1) If you run 'on premise', it's your choice whether you host your application on HTTP or HTTPS; this is not related to whether you're using SSHA256 or BCrypt. We do recommend BCrypt for the scenario where your database is somehow compromised, though.
2) The login is already done using POST; the 'loginForm' form element is only there to make sure the HTML looks nice. Did they just look at the HTML? If you watch the traffic you will see a POST being used.
3) I don't know enough on that topic; I would suggest testing it :)
Don't use the field option, but disable autocomplete at form level.